Qualys Cloud Agent (CA) 


Welcome to Qualys Cloud Agent training. 


Training Documents 
https://qualys.com/learning 


You will need to download the training documents needed to complete the Container 
Security course from the Qualys learning portal qualys.com/learning. 


Note that you will need a PDF reader like Adobe Acrobat to view these files. 


Play Lab Tutorials 


Click to open Lab Tutorial. 


Navigate to the following URL to view the “Configure Agents for VMDR” tutorial. 

[Screenshot: “Configure Agents for VMDR” lab tutorial page, with callouts “Maximize Screen” and “Click Start Button”] 


When you click the link to open a lab tutorial, it will open-up in your default Web 
browser. If you would like to play the tutorial in a different browser, you can copy 
this link and paste it into the address field of another browser. 


When the lab tutorial opens, click the icon in the upper-right corner, to maximize 
your screen size. 


When you're ready to play the tutorial, click the start button. 


Agenda 


- Cloud Agent Overview 
- Cloud Agent Installation & Deployment 
  - Agent Activation Key 
  - Installation Components 
  - Agent Installation Options 
- Agent Asset Details 
- Cloud Agent Lifecycle and Configuration 


The objectives for this section are: 
1. Provide a high-level overview of CA behaviors and characteristics. 


2. Identify operating systems and Qualys applications supported by CA. 
3. New RedHat CoreOS feature 


Cloud Agent 


Windows agents are installed using an administrative 
account and operate with local system privileges. 


By default, Linux agents run with ‘root’ privileges, but can be 
configured to run in a specific user and group context. 


Serves primarily as a “data collector” for Qualys Platform 
Applications. Assessment testing and data enrichment are 
performed in the Qualys Cloud. 


Findings are tracked by the Qualys Host ID (UUID). 


Windows agents must be installed using an administrative account and will operate 
with system level privileges. 


The agent installation requires root level access on Unix and Linux systems (for 
example in order to access the RPM database). After the Cloud Agent has been 
installed it can be configured to run in a specific user and group context using our 
configuration tool. Caution: this limits the level of access of the Cloud Agent. 


To optimize agent performance and keep its resource consumption low, agents focus 
primarily on data collection tasks (i.e., collecting host data and telemetry and then 
sending it to the Qualys Cloud). Assessment testing, data categorization, 
normalization, and enrichment are performed in the Qualys Cloud. 


Agent findings are tracked by the Qualys Host ID (UUID), which uniquely identifies each 
agent host. 


Agent OS Support 


[Slide logos include Solaris, Linux PPC 64 LE, Core OS] 


- Qualys Cloud Agent supports multiple operating systems. 


© Qualys. 


Cloud Agents can be installed on host assets running Cloud Agent supported 
operating systems, including: 


- Windows XP SP3 or greater 
- Apple Mac OS X 
- Red Hat Enterprise Linux 
- Oracle Enterprise Linux 
- Amazon Linux 
- SuSE Linux 
- CentOS 
- Fedora 
- Debian 
- Ubuntu 
- FreeBSD 
- IBM AIX 
- Solaris 
- Core OS 


For a complete list of supported operating systems and version numbers, see the 
Cloud Agent Getting Started Guide: 
https://www.qualys.com/docs/qualys-cloud-agent-getting-started-guide.pdf 


Full Stack Solution for Red Hat OpenShift 


Container Sensor 
(Container and Image 
Vulnerability and Compliance 
Assessment) 


Cloud Agent for RedHat 
CoreOS on OpenShift 
4.x 
(Host level assessment) 


In-Container 
Instrumentation 
(Runtime Protection) 


[Diagram labels: OpenShift 4.x Infrastructure; Security. Legend: a marked icon represents an installed Qualys Sensor.] 


At Qualys, we have focused on delivering a full stack solution for Red Hat OpenShift. 
To do this, we utilize both Container Sensors and Cloud Agents. 


As you can see in the diagram, our container sensor solution is deployed as its own 
container. It assesses images and running containers in your runtime environment. 


This solution is technically independent from the Cloud Agent container and provides 
inventory, vulnerability, and compliance assessments, with data merging and sharing 
between modules on the Qualys Cloud Platform. 


Our Container Security Solution has been in the market for a while now and supports 
Docker, containerd, and CRI-O runtimes. 


But what about the Host OS? RHCOS does not permit modification of the host. This is 
a powerful security measure. 


That does not mean it is impervious to attack, but it does provide a strong base for 
building excellent layered security solutions. 


Our unique, first-to-market solution uses an agent-as-container approach. 


Easily deployed, our containerized agent scans the Host OS to provide visibility, 
actionable intelligence, and auditing. 


Qualys full-stack security for Red Hat OpenShift adds visibility, actionable intelligence, 
and security auditing for Red Hat Enterprise Linux CoreOS, the operating system that 
underpins OpenShift deployments for running containers securely. With this new 
offering, Qualys is now the first and only solution with the ability to scan directly into 
Red Hat Enterprise Linux CoreOS in Red Hat OpenShift, so you can manage and 
reduce risk at both the host OS and container levels. Built on the Qualys Cloud 
Platform, Qualys’ solution seamlessly integrates with customers’ vulnerability 
management workflows, reporting and metrics to help reduce risk. 


Cloud Agent for RedHat OpenShift 


Qualys offers the first and only platform to identify and manage threats for 
Red Hat Enterprise Linux CoreOS in OpenShift. 


This new capability enables: 
- Continuous visibility of installed software and packages, open ports, and 
  Red Hat Security Advisories (RHSA) 
- Vulnerability management and patch verification for Red Hat OpenShift 
- Easy deployment via container to secure the host operating systems 
  without requiring modifications to the host, opening ports, or dealing with 
  credentials 
- Seamless operation with Qualys Container Security to provide security 
  from the host through the container level 


Cloud Agent for RedHat OpenShift Installation 


- Within the activation key, select install instructions for CoreOS from the list 
  and follow the steps for installation. 
- Download the Qualys Cloud Agent for Red Hat Enterprise Linux CoreOS in Red Hat 
  OpenShift Container image tar file from Qualys Cloud Platform. 
- Follow the steps in the guide below. 


s-cloud-agent-redhat-openshift-coreos-install- 


Agent Application Support 


- Vulnerability Management (VM) 
  - Continuous Monitoring (CM) 
  - Threat Protection (TP) 
- Global IT Asset Inventory (AI) 
- Policy Compliance (PC) 
- Security Configuration Assessment (SCA) 
- File Integrity Monitoring (FIM)* 
- Endpoint Detection & Response (EDR)* 
- Patch Management (PM)* 


* Agent Exclusive Application 


Qualys Cloud Agent supports multiple Qualys application modules. 


Qualys Global IT Asset Inventory (AI) is automatically activated for all agents. When 
the VM module is activated for an agent, Continuous Monitoring (CM) and Threat 
Protection (TP) are included. You can activate Policy Compliance (PC) or Security 
Configuration Assessment (SCA) for an agent, but not at the same time. 


Qualys File Integrity Monitoring (FIM), Endpoint Detection & Response (EDR), and 
Patch Management are agent exclusive applications (i.e., they are not supported by 
other Qualys sensors). 


Three options are provided for activating application modules: 
1. Agent Activation Key 

2. Host “Quick Actions” Menu 

3. CA Application Program Interface (API) 


[Screenshot: qualys.com/documentation/, Sensors section, Cloud Agents documents: Online Help, Getting Started Guide, Windows Installation Guide, Linux Installation Guide, Unix Installation Guide, Mac Installation Guide, Gateway Service User Guide, BSD Installation Guide, Release Notes, Training, Cloud Agent (CA) API] 


- Consult the “Platform Availability Matrix” within the Cloud Agent Getting Started 
  Guide, for specific OS version and application support details. 


For a complete list of supported operating systems and version numbers, see the 
Cloud Agent Getting Started Guide: qualys.com/documentation 


Agents Collect Data 


Agents are designed to capture OS and application metadata, 
including installed applications, registry keys, running processes, 
and system configurations. 


Qualys application modules provide their own “manifest” identifying 
data to be collected. 


AGENT data is uploaded to the Qualys Platform for assessment, 
analysis, correlation, reporting, and alerting. 


Data “snapshot” transmissions to the Qualys Cloud focus on 
detected changes (deltas). 


Data collected by a Qualys Agent is called AGENT data. 


Functioning in the “data collector” role, each agent collects everything needed by its 
activated Qualys application modules. Each agent-supported application module 
identifies tasks to be performed and data to be collected, in a manifest. There are 
different manifests for each Qualys application module. 


By design, the processing of agent data begins only after it is successfully transferred 
to the Qualys Platform. This helps to minimize the number of resources needed by the 
agent. 


Once the initial data “snapshot” has been successfully transferred to the Qualys 
Platform, all successive data transfers focus exclusively on the things that have 
changed (deltas). 


Data collected by a Qualys Agent is referred to as AGENT data. This contrasts with the 
data collected by a Qualys Scanner Appliance, which is referred to as SCAN data. 


[Diagram labels: Cloud Platform; Corporate Environment] 


To begin data collection an agent must be installed/deployed to a host. 


Once the agent has successfully downloaded its application manifest(s), data will 
be collected to produce a host snapshot. 


This “snapshot” is then sent to the Qualys Cloud for processing. 


Cloud Agent Benefits 


- Extends visibility to assets not easily scanned: 
  - Remote users working from home. 
  - Assets behind network load balancers or filtering devices. 
  - Ephemeral assets with erratic processing cycles. 
- More frequent visibility of critical assets without increasing network 
  traffic (via delta uploads). 
- Works well with host assets that frequently change names or IP 
  addresses (uses Qualys Host ID tracking). 
- Agents do not rely on Authentication Records. 
- Qualys FIM, EDR, and PM are agent exclusive applications (i.e., 
  Cloud Agent is required). 


Cloud Agent extends visibility to assets not easily scanned, including roaming 
devices such as laptops, remote users working from home, ephemeral cloud 
instances that are not always online, and assets behind network filtering 
devices or load balancers. 


Once the initial data “snapshot” has been successfully transferred to the Qualys 
Platform, all successive data transfers focus exclusively on the things that have 
changed (deltas). This can significantly reduce the amount of bandwidth typically 
consumed by traditional scanner appliances, allowing you to monitor critical hosts 
more frequently. 


By default, agents track findings by the Qualys Host ID, making it ideal for hosts that 
frequently change names or IP addresses. 


Cloud Agent installs as a local service with SYSTEM level privileges and does not 
require authentication records to access local system data and artifacts. 


Cloud Agents are required by the Qualys FIM, EDR, and PM applications. 


The objectives for this section are: 

Identify and understand the steps to complete an agent installation. 
Learn to build an Agent Activation Key and identify its components. 
Understand the different agent deployment options. 

Identify the signs of a successful agent installation 

New MSI Extract Feature 


Agent Activation Key 


1. Activation Keys allow you to 
manage and control the 
distribution of Cloud Agents. 


Add a "static" tag to each key 
to label and track agent hosts 
deployed. 


Application modules selected 
will be activated at agent 
deployment. 


Create keys without limits or 
set limits by maximum 
number of agents or 
expiration date. 


[Screenshot: “Edit the activation key” dialog, showing the “Provision Key for these applications” checkboxes and the “Set limits” option. Dialog text: “An activation key is used to install agents. ... By default this key is unlimited - it allows you to add any number of agents at any time.”] 


Activation Keys contain the components to successfully deploy agents. You must 
first create one or more Activation Keys, before installing an agent. 


Qualys recommends adding a “static” tag to an Activation Key, to easily identify the 
assets it deploys. 


Any application module selected in the key will be activated at the time of 
deployment. Application modules not selected can always be activated later (after 
deployment). 


Options are available to limit the number of agents deployed with any key. 


Activation Key Limits 


Set limits 


You can set limits for more control over your activation keys - maximum number of agents or expiration date. When 
both are set, the key will expire when the first limit is reached. 


Key limited by count 
Tell us the maximum number of agents that can be installed using this key. 


Maximum number: 5000 


Key limited by date 
Allow installation of an unlimited number of agents up until this date. 


Date: 


- Create keys that are unlimited or choose the option to set limits. 
- If both limits are selected, the key will expire when the first limit is reached. 


An Activation Key can deploy an unlimited number of agents, or you can set limits. 


1. Specify the maximum number of agents deployed with a key. 
2. Specify an expiration date for the key 


If both limits are selected, the key will expire when the first limit is reached. 


Lab Tutorial 1 


Create Activation Key (pg. 3) 


Create CA Lab Activation Key 

Create and add a static tag (CA Lab) to key 
Add application modules to key 

No restrictions or limits 

Generate key 


Install Agents 


- Select the “Install Agent” option from the Quick Actions menu of 
  any Activation Key. 
- Each Activation Key contains installation instructions for agent 
  supported operating systems. 
- Click “Install Instructions” for any OS, to view its instructions and 
  download the agent installation components. 


To acquire the installation instructions and artifacts for an Activation Key, open its 
“Quick Actions” menu and select Install Agent. 


Click “Install Instructions” for any OS, to view its instructions and download its 
agent installation components. 


Installation Components 


Run the agent installer on a target host, using the provided installation command. 


[Screenshot: “Install Agents” page] 

Steps to Install the Windows Agent 

Download the agent installer (file size 15.4 MB). 
The file will be saved to your downloads area, as defined by your local system. 

Copy QualysCloudAgent.exe to the host you want to monitor and run the command, or use group policy or a systems 
management tool. 

For agent version 4.3 and above, make sure to provide the WebServiceUri parameter in the installation command to 
install or upgrade the agent. 

Copy and paste this command for installation: 

QualysCloudAgent.exe CustomerId={4058fe89-Bcaa-fch6-8373-c2a56ffaldb9} ActivationId={dcf48885-316b-4230-b40d-alScBe32db5a} WebServiceUri=https://qagpublic.qg3.apps.qualys.com/CloudAgent/ 


1. Agent installation command 
2. Agent installer (.exe, .rpm, .deb, ...) 


- When using third-party applications to build custom deployment packages, 
  these two components should be included. 


The primary agent installation components include: 


1. Agent installation command 
2. Agent installer 


These two components must be included in your installation packages. 


Lab Tutorial 2 


Agent Installation Components (pg. 6) 


Download installation components for Windows agent 
Use CA Lab Activation Key to install agent 

Download agent installer 

Copy installation command 


MSI Extract 


Traditionally, the Cloud Agent has relied on .exe for 
installation. 


As an admin you can preconfigure an MSI file to make deployment easy 
within an organisation. 


Starting with CA version 4.5 and above, Qualys will be 
supporting MSI Install. 


Use Case for MSI: 


- It's relatively easy to make a tree of MSI files, and as an admin you can preconfigure 
  an MSI file to make deployment easy within an organisation. 
- You might want more precise control over how the installation is managed. An MSI 
  has very specific rules about how it manages the installations, including installing, 
  upgrading, and uninstalling. 


From the high-level user's perspective, the new setup is an exe containing the setup 
components to install Qualys agent on the target machine. The exe contains two MSIs 
— one for 32-bit machines, and another one for 64-bit machines. The exe would 
extract the correct MSI and invoke the MSI engine to begin the installation process. 
The exe can also be instructed to only extract the MSI(s). 


MSI Extract 


To extract the MSI from the downloaded exe file, run the following command: 
QualysCloudAgent.exe ExtractMSI=<value> 
Any agent version above 4.5 will support MSI. 


For ExtractMSI, use one of the following values (value) as per host architecture. 


For example, if you want to install Cloud Agent on a 64-bit machine, you need to 
extract the MSI package with ExtractMSI=64. 


To extract the MSI from the downloaded exe file, run the following command: 
QualysCloudAgent.exe ExtractMSI=<value> 

For ExtractMSI, use one of the following values (value) as per host architecture. 

For example, if you want to install Cloud Agent on a 64-bit machine, you need to extract 
the MSI package with ExtractMSI=64. 

- 32: Extracts 32-bit MSI Installer 
- 64: Extracts 64-bit MSI Installer 
- BOTH: Extracts both (32-bit and 64-bit) the MSI Installers 
- AUTO: Extracts the appropriate MSI based on the OS architecture. It extracts 32-bit 
  MSI on a 32-bit machine and 64-bit MSI on a 64-bit machine 


MSI Extract 


- 64: Extracts 64-bit MSI Installer 


[Screenshot: command prompt session] 
C:\Users\Administrator\Downloads>WindowsCloudAgent.exe ExtractMSI=both 


MSI Extract 


- AUTO: Extracts the appropriate MSI based on the OS architecture. It extracts 
  32-bit MSI on a 32-bit machine and 64-bit MSI on a 64-bit machine 


The MSI file will be extracted in the same directory where the exe file is available. 


Installing MSI Package 


[Screenshot: Windows Installer dialog, “Please wait while Windows configures Qualys Cloud Security Agent”] 


Copy the Qualys Cloud Agent installer onto the host where you want to install the 
agent, and run the command or use a systems management tool to install the agent 
as per your organization's standard process to install software. Following is the 
sample command for installing the MSI package for the 32-bit installer: 

Msiexec.exe /i CloudAgent_x86.msi CustomerId={12345678-1234-1234-1234-123456789012} ActivationId={12345678-1234-1234-1234-123456789012} 

Here CloudAgent_x86.msi is the extracted MSI file for the 32-bit installer. 
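
The installation and MSI commands shown above are usually pasted into a deployment package, where a wrapped GUID or a missing parameter fails silently on every target host. The following check is an added example, not Qualys code: the function names are hypothetical, parameter names are matched case-insensitively as an assumption, and the sample commands are constructed from the placeholder GUID and platform URL shown on this page.

```python
import re
from urllib.parse import urlparse

# Braced GUID, as used for CustomerId and ActivationId in the page's commands.
GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
EXTRACT_VALUES = {"32", "64", "BOTH", "AUTO"}  # ExtractMSI values listed on this page

# Constructed samples. MSI_WRAPPED carries a GUID split by a line wrap,
# the kind of damage a copy/paste from a document can introduce.
GOOD_EXE = ("QualysCloudAgent.exe "
            "CustomerId={12345678-1234-1234-1234-123456789012} "
            "ActivationId={12345678-1234-1234-1234-123456789012} "
            "WebServiceUri=https://qagpublic.qg3.apps.qualys.com/CloudAgent/")
MSI_WRAPPED = ("Msiexec.exe /i CloudAgent_x86.msi "
               "CustomerId={12345678-1234-1234- 1234-123456789012} "
               "ActivationId={12345678-1234-1234-1234-123456789012}")


def parse_params(command):
    """Return {lowercased key: value} for every KEY=VALUE token in the command."""
    params = {}
    for token in command.split():
        key, sep, value = token.partition("=")
        if sep and key:
            params[key.lower()] = value
    return params


def check_command(command, require_uri=True):
    """Return a list of problems found in an agent command line (empty means OK).

    require_uri reflects the page's statement that agent 4.3 and above needs
    the WebServiceUri parameter; pass False for commands that omit it on purpose.
    """
    params = parse_params(command)
    problems = []

    if "extractmsi" in params:
        # Extraction-only invocation: no IDs are involved, only the value matters.
        if params["extractmsi"].upper() not in EXTRACT_VALUES:
            problems.append("ExtractMSI must be one of 32, 64, BOTH, AUTO")
        return problems

    for name in ("CustomerId", "ActivationId"):
        value = params.get(name.lower())
        if value is None:
            problems.append(f"{name} is missing")
        elif not GUID_RE.match(value):
            problems.append(f"{name} is not a braced GUID: {value}")

    uri = params.get("webserviceuri")
    if uri is None:
        if require_uri:
            problems.append("WebServiceUri is missing (required for agent 4.3 and above)")
    else:
        parsed = urlparse(uri)
        if parsed.scheme != "https" or not parsed.hostname:
            problems.append(f"WebServiceUri must be an https:// URL: {uri}")
    return problems


if __name__ == "__main__":
    for sample in (GOOD_EXE, MSI_WRAPPED, "QualysCloudAgent.exe ExtractMSI=x64"):
        print(check_command(sample) or "OK")
```

Running the check as a gate in the packaging step catches the damaged command before it is distributed to hosts.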
Pre-installation Checks 


- Verify host OS is supported by Cloud Agent. 
- Verify host OS patches and root certificates are up-to-date. 
- Ensure you have acquired the agent installation components for the target OS: 
  1. Agent Installer 
  2. Installation Command 
- Verify target host can access the Qualys Platform. 


[Screenshot: platform identification table (Platform, Platform identifier, Username Format, Platform URL) from www.qualys.com/platform-identification/] 


Before attempting to install or deploy agents, ensure the target OS is supported by 
Cloud Agent and that you have acquired the correct installation components. 


Next, you want to verify you have connectivity between each target host and the 
Qualys Cloud Platform. There are test URLs for each public platform. Add these URLs 
to agent deployment packages (SCCM, BigFix, etc.) to test for successful connectivity, 
before installing the Cloud Agent. 


It's a good idea to update OS patches and root certificates (on target hosts) before 
installing Cloud Agent. 


Starting with the Windows 1.6.0 agent version, the agent and installers are signed 
with an Extended Validation (EV) code-signing certificate. This requires the OS to 
validate the signed executables using certificates from the trusted root CA. You will 
encounter errors in the agent log file, if the appropriate root certificates are not 
installed. 


Agent Deployment Options 


1. Software distribution tools 
   - Automate agent deployment using popular third-party tools (e.g., SCCM, 
     Chef, Ansible, Puppet, BigFix, Casper, Altiris, etc...) 
2. Gold Image (virtual host) 
   - Install Cloud Agent in “master” image. 
   - If a new instance has the same Qualys Host ID (as the “master” image), the 
     agent will renegotiate a new Host ID with the Qualys Platform. 
3. Command line (used in our training lab, today) 
   - Manual installation. 
   - Highlights the various elements of an agent installation. 


Use third-party software management and distribution applications to perform large 
scale agent deployments. 


You can also install the agent in a master or gold image. Each new instance created 
from the master image may potentially have the same Qualys Host ID as the “master” 
image. In this case, the agent will renegotiate its UUID with the Qualys Cloud 
Platform. 


In this course you will manually install an agent from the command line. This will 
help to highlight the different components required for an agent installation. 


Lab Tutorial 3 


Command Line Installation (pg. 9) 


- Agent installer and installation command have been downloaded to Windows host 
- Verify the presence of the agent installer and execute the installation command 
- Open Task Manager and verify Qualys Cloud Agent process is running 
- Navigate to \ProgramData\Qualys\QualysAgent and display the contents of Log.txt 


Verify Agent Installation 


Qualys Cloud Agent Process 


Look for the Qualys Cloud Agent process in Windows Task Manager. 


[Screenshot: Windows Task Manager, Processes tab] 


Following a successful agent installation, the Qualys Cloud Agent process will appear 
in Windows Task Manager. View a list of running processes on a Unix or Linux host to 
view the Cloud Agent process (i.e., qualys-cloud-ag). 


Verify Agent Installation 


Qualys Host ID 


Qualys Host ID is the default tracking method for agent hosts. 


Look for the Qualys Host ID in the Windows Registry: 

HKLM\SOFTWARE\Qualys 


Unix-based hosts store the Qualys Host ID in the ‘hostid’ file, i.e.: 

/etc/qualys/hostid 


- Provisioning tasks typically have not completed if Qualys Host ID is not present. 
- EXCEPTION: “Gold Images” and hosts configured for Agentless Tracking may 
  already have a Qualys Host ID. 


The presence of a Qualys Host ID is a good indicator that the agent has 
successfully contacted the Qualys Cloud Platform. On Windows hosts the 
Host ID can be found under the Qualys registry key. On a Unix or Linux host 
the Host ID is stored in a plain text file (/etc/qualys/hostid). 


If an agent host has not acquired its Host ID, provisioning may still be in-progress 
or the agent was unsuccessful in contacting the Qualys Cloud Platform. 


NOTE: Virtual hosts (created from a gold or master image) may potentially 
already have a Qualys Host ID. We'll examine a couple of solutions to this 
challenge, in the “Provisioning” discussion, later. 


If the “Agentless Tracking” feature is enabled in Qualys VM, VMDR, or PC, a host may 
have already received its Qualys Host ID, before an agent is installed. In this case, the 
agent will simply use the Qualys Host ID provisioned by the Agentless Tracking 
feature. For more information on the “Agentless Tracking” feature, please see the 
Qualys “Scanning Strategies & Best Practices” and “Reporting Strategies & Best 
Practices” training courses. 
Verify Agent Installation 


Cloud Agent Log File 


- Windows: \ProgramData\Qualys\QualysAgent\Log.txt 
- Unix: /var/log/qualys/qualys-cloud-agent.log 


Searching the CA log file will reveal agent connection attempts that are 
successful (return code 2xx) and unsuccessful (return code 4xx, 5xx). It is 
best to search the end of the CA log file for the most recent connection 
attempts. 


On a Linux host search for the character string “Http request.” On a Windows 
host search for the character string “Http status.” 


HTTP Status Codes: 
1xx Informational. 
2xx SUCCESS. ... 

3xx Redirection. ... 
4xx Client Error. ... 
5xx Server Error. 


Members of the Qualys Technical Support team will typically request a copy of 
your agent log file, when working on agent support calls: 

- Unix/Linux: /var/log/qualys/qualys-cloud-agent.log 
- Windows: \ProgramData\Qualys\QualysAgent\Log.txt 


See Lab Appendix D, to learn about the information that is useful when 
working with the Qualys Technical Support Team. 


CA Log File Videos 


- Visit the Qualys Training Video Library for more information and 
  details on agent log analysis and troubleshooting: 
  - Introduction to Troubleshooting & Log Analysis 
  - Troubleshooting & Log Analysis - Common Errors 
  - Troubleshooting & Log Analysis - Unix/Linux Distribution 
  - Common Errors and Their Solutions - Unix/Linux Distribution 


https://www.qualys.com/training/library/cloud-agent/ 


- Introduction to Cloud Agent Log Analysis - https://vimeo.com/412764672 
- Cloud Agent Troubleshooting - Common Errors - https://vimeo.com/412762742 
- Cloud Agent Log Analysis - Unix/Linux Distribution - https://vimeo.com/418215691 
- Common Errors and Their Solutions - Unix/Linux Distribution - https://vimeo.com/418218290 


[Screenshot: qualys.com/documentation/, Sensors section, Cloud Agents documentation list] 


- See Appendix: A, B, and C of the Lab Tutorial Supplement for Linux and Mac OS 
  installation steps. 
- Visit the Qualys Community Documentation page to view detailed installation 
  guidelines for agent supported operating systems. 


While the lab tutorials in this course illustrate a Windows agent installation, you'll 
find Linux and Mac OS examples in Appendix A, B, and C of the Cloud Agent Lab 
Tutorial Supplement. 


For the most current agent installation information, consult the Agent OS Installation 
Guides found on the Qualys Community (qualys.com/documentation). 


The objectives of this section are: 
1. Outline the need for proxy servers or Qualys Gateway Servers. 
2. Provide a comparison of Windows and Linux proxy options. 


See “Proxy Configuration” in the lab tutorial supplement for this course for more 
proxy configuration details. 


Agents and Proxies 


In an environment without proxy servers, Qualys Cloud Agents will 
communicate directly with the Qualys Platform on TCP/443. 


Agents can also be configured to communicate through a proxy 
server, including Qualys Gateway Server (QGS). 


QGS also provides a cache for patch downloads and other agent 
artifacts including manifests and agent binaries. 


By default, Windows agents use the same proxy configuration as 
their host OS. 


By default, Linux agents operate in non-proxy mode. 


In an environment without proxy servers, Qualys Cloud Agents will 
communicate directly with the Qualys Platform on TCP/443. 


Agents can also be configured to communicate through a proxy server, 
including Qualys Gateway Server (QGS). 


QGS also provides a cache for patch downloads and other agent artifacts 
including manifests and agent binaries. 


TLS 1.2+ Required 


TLS 1.2 (or greater) must be enabled on client machines to communicate 
with the Qualys Cloud Platform. 


Agent host assets that do not meet this requirement will need to 
communicate with the Qualys Platform through a proxy server that 
supports TLS 1.2+. 


Use Qualys Gateway Server (QGS) to meet this TLS 1.2+ requirement. 


TLS 1.2 (or greater) is a host requirement, for communicating with the Qualys Cloud 
Platform. 


Any agent host that does not meet this requirement (e.g., Windows XP and Windows 
Server 2003) will need to communicate with the Qualys Platform through a proxy 
server that supports TLS 1.2+. Qualys Gateway Server meets this requirement. 
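
The host-side prerequisites described in the pre-installation checks and in this TLS requirement (reachability of the Qualys Platform on TCP/443, TLS 1.2 or greater, and an up-to-date root certificate store) can be told apart with a single handshake attempt. This is an added example, not Qualys code: the function names are hypothetical, it assumes a direct (non-proxy) connection, and it exercises Python's TLS library and trust store rather than the operating system's own TLS stack.

```python
import socket
import ssl
from urllib.parse import urlparse


def endpoint_from_uri(web_service_uri):
    """Return (host, port) for a WebServiceUri value; the port defaults to 443."""
    parsed = urlparse(web_service_uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"not an https:// URL: {web_service_uri}")
    return parsed.hostname, parsed.port or 443


def tls12_context():
    """Client context that refuses anything below TLS 1.2 and verifies the chain."""
    context = ssl.create_default_context()  # system trust store, hostname check on
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def check_platform(host, port=443, timeout=10.0):
    """Attempt one handshake and return (ok, detail) without raising.

    The three failure branches map to the three things the page asks you to
    verify: root certificates, TLS 1.2+ support, and network access.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} negotiated with {host}:{port}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted (check root certificates): {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed (TLS 1.2+ required): {exc}"
    except OSError as exc:
        return False, f"cannot reach {host}:{port}: {exc}"


if __name__ == "__main__":
    # WebServiceUri as shown in this page's sample installation command.
    host, port = endpoint_from_uri("https://qagpublic.qg3.apps.qualys.com/CloudAgent/")
    ok, detail = check_platform(host, port)
    print("PASS" if ok else "FAIL", detail)
```

A pass shows that the network path and certificate chain are sound from that host; whether the operating system itself has TLS 1.2 enabled still has to be confirmed in the OS configuration.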
Proxy Configuration 


- Windows agent proxy settings are stored under the Qualys registry key 
  (HKLM\SOFTWARE\Qualys\Proxy). 


[Screenshot: Registry Editor at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Qualys\Proxy] 


- Linux agents can be configured to use an HTTPS proxy, using the following 
  configuration files: 
  1. /etc/sysconfig/qualys-cloud-agent (.rpm) 
  2. /etc/default/qualys-cloud-agent (.deb) 
  3. /etc/environment (.rpm and .deb) 


Windows agent proxy configuration can be accomplished by creating and editing the 
Qualys Proxy registry key (HKLM\SOFTWARE\Qualys\Proxy). The Qualys Proxy utility 
(QualysProxy.exe) will automatically create this key, if it is not already present. 


Any application that can access the Remote Registry Service (including GPMC, Group
Policy, WMI, etc.) can create or modify agent proxy configuration settings.


By default, Linux agents operate in non-proxy mode. Agents can be
configured for proxy communications using the ‘qualys-cloud-agent’ proxy
configuration file:

• /etc/sysconfig/qualys-cloud-agent (.rpm)
• /etc/default/qualys-cloud-agent (.deb)

If this file does not already exist, you must create it. Both .rpm and .deb
environments support the file /etc/environment.
[Screenshot: Qualys documentation page (qualys.com/documentation/), Cloud Agents section]


• Visit the Qualys Community Documentation page to view installation guides
containing OS specific proxy configuration details.


For the most current agent installation information, consult the Agent OS Installation 
Guides found on the Qualys Community (qualys.com/documentation). 


The objectives for this section are: 

1. Identify the agent asset details provided by the Cloud Agent application and other 
Qualys applications. 

2. Learn to use the Qualys Query Language (QQL) and Query Tokens, to search for 
agent assets. 
Agents Tab


[Screenshot: Agents tab of the Cloud Agent application, with the “Quick Actions” menu open for an agent host and its Asset Summary displayed]


• Use the “Quick Actions” menu to view asset details.


Use the “Quick Actions” menu for any agent host listed in the Cloud Agent 
application, to view specific asset details. 


The Asset Summary displays host OS details, geolocation information, names and 
addresses, activity updates, and Asset Tags. 


The very next lab tutorial provides a quick tour of the various asset detail 
components. 


Lab Tutorial 4 


Asset Details & Queries (pg. 17) 


View asset details for a host with all agent modules activated

Display all “View Mode” options including GCP Instance Information

Use the lastCheckedIn query token to find agent hosts that have not checked in for seven
days

Download the result set into a spreadsheet (.csv) file.
Search for Assets


[Screenshot: asset search results for the two queries below]


not lastCheckedIn > now-7d


tags.name:"Cloud Agent"


• All agent hosts are labeled with the “Cloud Agent” Asset Tag.


One of the more useful queries (when searching for agent hosts) uses the
“lastCheckedIn” query token, which can help you to identify agents that are failing to
communicate with the Qualys Platform. For example, if someone manually uninstalls
an agent from its host (without using the Qualys UI or API), a stale host record will
remain in your account until you remove it. Use the “lastCheckedIn” token to help
you find stale agent hosts, using a timeframe of your choice.


All agent host assets are labeled with the “Cloud Agent” tag. Using the “tags.name” 
token (with a value of “Cloud Agent”) will help you to find agent host assets from the 
search field of any Qualys application. 
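
The stale-agent search described above can also be run offline against the .csv file downloaded in the lab. This added example (not Qualys code) applies the same seven-day cutoff; the column names, timestamp format and host names are assumptions, constructed for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an exported agent list. The column names and the
# ISO-8601 UTC timestamp format are assumptions; adjust them to your export.
SAMPLE_EXPORT = """\
Agent Host,OS,Agent Version,Last Checked In
web-frontend-01,Microsoft Windows Server 2019,4.2.0.8,2024-03-15T09:00:00Z
db-replica-02,Canonical Ubuntu 18.04,2.6.0.4,2024-03-08T12:00:00Z
build-runner-03,Microsoft Windows 10,4.1.0.4,2024-02-01T08:30:00Z
lab-clone-04,Canonical Ubuntu 18.04,2.4.0.5,
"""


def parse_timestamp(value):
    """Return an aware UTC datetime, or None when the field is empty."""
    value = (value or "").strip()
    if not value:
        return None
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def stale_agents(csv_text, now, max_age=timedelta(days=7)):
    """Apply the cutoff of `not lastCheckedIn > now-7d` to an export.

    A row is reported when its last check-in is at or before the cutoff.
    This example also reports rows with no check-in recorded at all.
    Returns (host, silent_days) tuples; silent_days is None for never-seen.
    """
    cutoff = now - max_age
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_seen = parse_timestamp(row.get("Last Checked In"))
        if last_seen is not None and last_seen > cutoff:
            continue  # checked in inside the window: healthy
        silent_days = None if last_seen is None else (now - last_seen).days
        stale.append((row["Agent Host"], silent_days))
    # Never-seen agents first, then the longest-silent ones.
    stale.sort(key=lambda item: (item[1] is not None, -(item[1] or 0)))
    return stale


if __name__ == "__main__":
    # Fixed reference time so the sample run is repeatable.
    reference_now = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
    for host, days in stale_agents(SAMPLE_EXPORT, reference_now):
        status = "never checked in" if days is None else f"silent for {days} days"
        print(f"{host}: {status}")
```

A host that last checked in exactly seven days ago is reported, because the query keeps only agents whose last check-in is strictly newer than the cutoff.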
How To Search


[Screenshot: Search field of the Cloud Agent application with the “How to Search” help open]


• Click the “Help” icon inside the “Search” field for more information on building
queries and using the Qualys Query Language (QQL).


Information and examples for using Qualys Query Language (QQL) to build effective 
queries can be found by clicking the “Help” icon, inside the “Search” field. 


The objectives of this section are:
1. Identify and define the Cloud Agent lifecycle of events, including:
   • Agent Provisioning
   • Download Agent Configuration Profile
   • Agent Upgrades
   • Agent Status Interval
   • Agent Data Collection
   • Download Application Manifests
   • Agent-Platform Synchronization
   • Activate, Deactivate, Uninstall Agents
2. Learn to build and configure a CA Configuration Profile.
3. Understand the different agent data collection methods.
Cloud Agent Lifecycle Events


Agent Provisioning 


Configuration Profile Download 
Agent Status Interval (heartbeat) 
Agent Version Upgrades 


Data Collection and Upload 
Manifest Download 
Agent-Platform Synchronization 
Activate/Deactivate Application Module 


Agent Uninstall (if necessary) 


Throughout its life, an agent will go through a series of events or workflow. Agent 
provisioning was demonstrated in the first part of this course. 


When provisioning is successful an agent will download its configuration profile. A 
configuration profile specifies various agent behaviors and characteristics. Other 
lifecycle events are controlled by settings in the downloaded configuration profile, 
including: 1) Agent Status Interval, 2) Agent Version Upgrades, and 3) Data Collection 
Methods. 


A manifest is downloaded for each activated agent application module. Data 
collection will begin immediately, following the download of a new or updated 
application manifest. 

Once an agent has successfully transferred its first data “snapshot” to the Qualys
Platform, it will regularly perform synchronization checks, to ensure data on both
sides is accurate and consistent.


Application modules can be activated or deactivated for individual or entire groups of 
agents. 


Uninstalling an agent will free its license for use elsewhere. 
Cloud Agent Activity


[Screenshot: Agents list with the columns Agent Host, OS, Version, Last Activity, Last Checked In, Configuration, Agent Modules and Tags]


Provisioned — Agent successfully connected to the cloud and registered.

Configuration Downloaded — The agent has successfully downloaded a new or updated
Configuration Profile.

Manifest Downloaded — The agent has successfully downloaded a new or updated manifest.

Agent Downloaded — A new agent version was downloaded and the agent was auto-updated.

Inventory Scan Complete — Agent successfully collected and uploaded host inventory data.

Scan Complete — Agent successfully collected and uploaded host meta data for assessment on
the Qualys platform.


As agents complete various lifecycle events, an event message is displayed in the 
host’s “Last Activity” column. 


To view a comprehensive list of events for any agent host, refer to the agent log file. 


Agent Provisioning 
Provisioning


[Screenshot: Administrator: Command Prompt window]


Agent calls home with Customer ID and Activation ID
Platform validates Agent
Agent generates Qualys Host ID (UUID)

HostID REG_SZ F93D274F-7119-4E74-9B7B-C71A3408A196


EXCEPTION: “Gold Images” and hosts configured for Agentless Tracking
may already have a Qualys Host ID.


Provisioning is the first request an agent performs, following a successful installation. 
The provisioning step requires a valid Customer ID and Activation ID to be successful. 
When verified, the agent generates its Qualys Host ID (UUID) and submits it to the 
platform. 


At the completion of provisioning, the agent does not perform any subsequent 
provisioning methods except in the case of duplicate agent UUIDs. Agents that cannot 
communicate to the platform for provisioning will keep retrying with an exponential 
backoff algorithm (current interval * 1.5 = next interval). The initial current interval is 
60 seconds. 


If the “Agentless Tracking” feature is enabled in Qualys VM, VMDR, or PC, a host may
have already received its Qualys Host ID before an agent is installed. In this case, the
agent will simply use the Qualys Host ID provisioned by the Agentless Tracking
feature. For more information on the “Agentless Tracking” feature, please see the
Qualys “Scanning Strategies & Best Practices” and “Reporting Strategies & Best
Practices” training courses.
Clone Detection


• Common in virtual host deployments from a “master” image.

• CA has already been provisioned within the “master” image, including the
Qualys Host ID.

• Each virtual host created from the “master” image will initially have the same
Qualys Host ID (as the master image).

• Qualys platform will issue a re-provision command if Agent ID is
already in use.

• Prevents the same Agent ID (Qualys Host ID) from being used by
more than one host.


The platform has a feature to detect duplicate agent IDs and trigger the agent to 
reprovision with a newly generated agent ID. This feature is always enabled and not 
exposed as a configurable setting. 


The most common case where duplicate agent IDs are created is when an agent is 
provisioned in a gold image that is used to create clones. In this case, cloned agents 
will have the same UUID as the agent in the gold image thus creating duplicate agent 
IDs in the platform when the cloned agents connect. 
[Screenshot: Qualys documentation page (qualys.com/documentation/), Cloud Agents section]


• Configuration steps are available in some of the agent OS Installation Guides to build
a gold image without provisioning the Qualys Host ID.

• Gold image will not consume an agent license.

• Avoids agent re-provisioning.


When building a master image, avoid renegotiation by deploying the agent on a host that is
disconnected from the network (i.e., prevent the agent from provisioning).


Download Configuration Profile


CA Configuration Profile 


• Agents can only use one Configuration Profile at-a-time but
may change from one profile to another.


[Screenshot: Configuration Profile Edit, General Info step, with Profile Name “CA Lab Profile”]


Configuration Profiles provide:
• Suspending data collection
• Preventing auto-updating of agent binaries
• Blackout Windows
• Agent Performance Settings
• Assigned Hosts
• Data collection intervals and options.


Agents can only use one Configuration Profile at-a-time but may change from 
one profile to another. 


Each Configuration Profile contains settings for:
• Suspending data collection
• Preventing auto-updating of agent binaries
• Blackout Windows
• Agent Performance
• Assigned Hosts
• Agent Scan Interval
• Data collection options
Lab Tutorial 5


Cloud Agent Configuration Profile (pg. 19) 


1. Create the CA Lab Configuration Profile 
2. Complete all Configuration Profile Creation steps: 


Define General Info settings 

Define Blackout Windows 

Customize agent performance and select the LOW presets 

Define Agent Status Interval 

Define Delta Upload Interval and Chunk sizes for file fragment uploads 
Define Logging Level 

Define CPU Limit and CPU Throttle 

Add “CA Lab” tag to Assigned Hosts 

Briefly define Agent Scan Merge. The lab tutorial supplement provides 
more details on agent scan merge (pages 23 — 25) 

Define VM, PC, SCA scan intervals 

FIM and EDR are defined but not enabled 

PM is enabled by default 


3. Explain Configuration Profile precedence 
Configuration Profile Precedence


[Screenshot: Configuration Profiles tab. “Drag profiles to change the order in which they will be applied.” Profiles listed in order: High Performance with FIM and IOC; EC2 Nano and Micro Instances; POS Terminals]


• The “Default” profile will be used for any agent host not assigned to a Configuration Profile.

• If an agent host is assigned to more than one profile, the profile closest to the top of the list
will take precedence (top-down).


You can create multiple Configuration Profiles to suit your needs, and they are applied
in order of precedence: if an agent is assigned to more than one profile, the
highest-priority profile will be assigned to the host.


A Default profile also exists for hosts that do not have one assigned explicitly.


Configuration Profile: General Info 
Suspend Data Collection


[Screenshot: Configuration Profile Edit, General Info step, with Profile Name “CA Lab Profile”]


• Although not commonly used, selecting this option will stop agents
from performing VM, PC, SCA, and Inventory scans.

• Agents will continue to get manifest updates, configuration updates,
and even agent version updates.


The General Information settings establish things like the profile name and
description, along with some default data collection and update options. Only one
profile can be designated as the default profile for your subscription. If an agent host
does not meet the host assignment criteria for any other configuration profile, the
default will be used.


The option to suspend data collection from agents will effectively stop the agent from
performing VM, PC, SCA and Inventory scans. Although scanning has stopped, agents
will continue to receive manifest updates, configuration updates and agent version
updates.
Cloud Agent Upgrades


• By default, Cloud Agents will automatically upgrade to the latest version.
• ~80% of all agents have the auto-upgrade option enabled.


[Screenshot: Configuration Profile Edit, General Info step, with the check boxes “Make this the default profile for the subscription”, “Suspend data collection for VM, PC, SCA and Inventory for all agents using this profile” and “Prevent auto updating of the agent binaries”]


• To certify and upgrade agents via a third-party software manager, click the
“Prevent auto updating of the agent binaries” check box.


By default, agents will automatically upgrade to the latest agent version. It is very 
common to find agents configured in the “auto-upgrade” mode. 


Enable the “Prevent auto updating of the agent binaries” option if you intend to use
third-party software management and distribution tools (e.g., SCCM, RPM, BigFix,
Casper, Altiris, etc.) to perform agent upgrades. This feature supports an
organization’s change management policies, allowing for testing and certifying new
agent versions before they are released into production environments.
End-of-Service Cloud Agent Versions


• Cloud Agent versions that are no longer supported:

Platform    End-of-Service Agent Version    Latest GA Date
Windows     Prior to 2.1                    May 2018
Linux       Prior to 2.0                    April 2018
IBM AIX     Prior to 2.0                    November 2017
MacOS       Prior to 2.0                    June 2018


ACTION REQUIRED: Upgrade your cloud agents to the latest version and
take advantage of new agent features.


Some older versions of Cloud Agent have reached end-of-support and should be
upgraded to the latest version to take full advantage of new features and benefits.
Find Agents No Longer Supported


There are multiple ways to find End-of-Service agents:

• Search for QID 105961 “EOL/Obsolete Software: Qualys Cloud Agent
Detected” (CA, AV):

vulnerabilities.vulnerability.qid:105961

• Search by Agent Version (CA, AV, AI):

agentVersion<2.1*

• Search by Software Lifecycle Stage (AI):

software:((name:Qualys) and (lifecycle.stage:'EOL/EOS'))

• Cloud Agent Dashboard


Here are a few ways to find end-of-service agents:

Search for QID 105961 “EOL/Obsolete Software: Qualys Cloud Agent Detected.” The
“vulnerabilities.vulnerability.qid:” token is presently supported
in the Cloud Agent and AssetView applications.

Search for EOS agent versions. The “agentVersion:” token is supported in CA, AV, and
AI.

Search for the ‘EOL/EOS’ software lifecycle stage. The “software:(name:)” and
“software:(lifecycle.stage:)” tokens are supported in the Asset Inventory application.

Use the “Agent Version Distribution” widgets in the CA Dashboard.
Cloud Agent Dashboard


[Chart: Windows, Linux and Mac agent version distribution widgets]


• Click on any version distribution to display its agent hosts.


Click on any version number in the bar chart to display its agent hosts. 
Best Practices for Agent Binary Upgrade


• Use the auto upgrade feature or upgrade agents quarterly:
   • Recommended: Enable auto update to take advantage of Qualys’
     latest agent features.
   • Good: Certify and upgrade agents via a third-party software package
     manager, on a quarterly basis.
   • Minimum: Upgrade agents via a third-party software package
     manager, on an as-needed basis.

• Qualys also recommends upgrading Gold Image builds quarterly,
even if auto-upgrade is enabled.


Although not all hosts are candidates for the agent auto-upgrade feature, Qualys 
recommends using this option wherever possible to take advantage of the latest 
agent features. 


When using third-party software distribution tools to upgrade agents, Qualys 
recommends performing agent upgrades quarterly. At a minimum, upgrade all EOS 
agents and continue to keep agents upgraded on an as-needed basis. 


Qualys recommends updating Gold Image builds quarterly, even if auto-upgrade is 
enabled. 
Third-Party Tool Tips


• Windows agent upgrades require the PatchInstall parameter:
QualysCloudAgent.exe PatchInstall=TRUE

• The CustomerID and ActivationID arguments are not required
when performing an agent upgrade.

• When performing agent upgrades in a mixed environment (i.e., both third-party
tools and Qualys auto-upgrade are used), ensure your third-party
installation packages only upgrade agent versions that are less than the
version number you are deploying.


*Duplicate agent records may potentially be created in your account, if third-party tools
attempt to upgrade agents that have already been upgraded to the current version (via
Qualys’ auto-upgrade).


Here are a couple of tips when upgrading agents: 
Windows agent upgrades must be performed using the PatchInstall parameter. 


Do not attempt to use the CustomerID and ActivationID parameters when upgrading 
agents. 


Ensure your third-party installation packages are designed to upgrade agent versions 
that are less than the version number you are deploying. This will help to prevent 
adding duplicate agent host records to your account. 
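
An added example (not part of the Qualys course material) of the version gate a third-party deployment job needs: it compares dotted versions numerically, flags end-of-service agents using the thresholds from the End-of-Service table earlier on this page, and upgrades only hosts older than the package. The function names and platform keys are hypothetical.

```python
from itertools import zip_longest

# End-of-service thresholds from the table on this page: any version
# *prior to* the listed one is end-of-service. Platform keys are this
# example's own naming.
EOS_BEFORE = {
    "windows": "2.1",
    "linux": "2.0",
    "aix": "2.0",
    "macos": "2.0",
}


def parse_version(text):
    """'4.2.0.8' -> (4, 2, 0, 8). Rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in parts)


def compare_versions(left, right):
    """Return -1, 0 or 1. Fields compare as integers, so 4.10 > 4.9, and
    the shorter version is padded with zeros, so 4.3 == 4.3.0.0."""
    pairs = zip_longest(parse_version(left), parse_version(right), fillvalue=0)
    for a, b in pairs:
        if a != b:
            return -1 if a < b else 1
    return 0


def is_end_of_service(platform, installed):
    """True when `installed` is older than the platform's EOS threshold."""
    return compare_versions(installed, EOS_BEFORE[platform.lower()]) < 0


def plan_upgrade(platform, installed, package_version):
    """Decide what a third-party deployment job should do on one host."""
    plan = {
        "action": "skip",
        "eos": is_end_of_service(platform, installed),
        "command": None,
    }
    if compare_versions(installed, package_version) >= 0:
        # Already at or past the package version (for example through
        # Qualys auto-upgrade): running the installer again is the case
        # the page warns can create duplicate agent records.
        return plan
    plan["action"] = "upgrade"
    if platform.lower() == "windows":
        # Upgrade invocation as given on the page, without the
        # CustomerID and ActivationID arguments.
        plan["command"] = ["QualysCloudAgent.exe", "PatchInstall=TRUE"]
    return plan


if __name__ == "__main__":
    # Constructed inventory: (platform, installed version).
    fleet = [("windows", "4.2.0.8"), ("windows", "4.3.0.5"),
             ("linux", "1.7.1"), ("linux", "2.6.0.4")]
    package = {"windows": "4.3.0.5", "linux": "2.4.0.5"}
    for platform, installed in fleet:
        print(platform, installed, plan_upgrade(platform, installed, package[platform]))
```

Comparing version strings as text would rank 4.10.0 below 4.9.0 and let the job reinstall over a newer agent, which is why each field is compared as an integer.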
Configuration Profile: Blackout Windows
Blackout Windows


[Screenshot: Configuration Profile Edit, Blackout Windows step]


• Prevent communication between agents and the Qualys Platform at
specified times of the week.

• This is useful if you want your agents to stop communicating during
expected times of heavy or increased network traffic.


You can add blackout windows to stop communication between the agent and the 
Qualys Cloud platform, at specified times each day of the week. This can be 
especially useful when coordinating the communication flows for different groups of 
agents, or simply use this option to stop agent communications during expected 
times of peak network traffic. 
Configuration Profile: Performance
Performance


[Screenshot: Configuration Profile Edit, Performance step, with the LOW preset selected and the “Customize” toggle]


• Select default preset levels (LOW, NORMAL, or HIGH) or turn on the
“Customize” toggle switch.


To control the amount of system or network resources used by each agent, you can
use the preset performance settings (LOW, NORMAL, or HIGH), or use the
“Customize” option for more granular control.
Performance - Agent Status Interval


Agent Status Interval* sec (900 - 2700)
Push interval in seconds to update system with Agent's status


Agent calls home regularly to check for new updates or actions:
• New manifests
• Configuration Profiles
• Download installers for new agent versions
• Synchronization checks
• Activate/Deactivate modules
• Uninstallation commands


All communication between an agent and the Qualys Platform must be initiated by the agent. 


The agent communicates to the Qualys platform at regular, configurable intervals (15 - 45 
min.) to receive any new content or actions to perform. The request/reply is typically small in 
size (usually less than 1 KB). 


The content or actions received through the Status Update include:
• New manifests
• Configuration Profiles
• Download installers for new agent versions (if configured)
• Re-provisioning commands
• Re-synchronization commands
• Activate/Deactivate application modules
• Uninstallation commands
Performance - Agent Bandwidth Usage


Delta Upload Interval* sec(1 - 1800) 
Interval an agent attempts to upload detected changes 


Chunk sizes for file fragment uploads* KB(64 - 10240) 


This is the upload block size, and combined with the above Network throttle Tx, 
determines network utilization 


Using the settings illustrated above a 4 MB data transfer will be broken-up into 
4 chunks, each sent 10 seconds apart. 


When an agent is ready to transmit a “snapshot” to the Qualys Cloud Platform, the 
“Chunk sizes for file fragment uploads” setting will determine whether the 
“snapshot” file will be broken-up into smaller fragments or chunks. 


If more than one “chunk” is to be sent to the Qualys Cloud Platform, the “Delta 
Upload Interval” setting determines the amount of time between individual “chunk” 
transmissions. 


Data collections are compared to latest snapshot and only changes (deltas) 
are uploaded to the Qualys Platform. 
Bandwidth Considerations For Large Deployments


• Bandwidth usage is typically greatest at agent deployment (e.g., initial data
transfer does not have same efficiency as delta transfers).

• Consider creating a special “Deployment” Configuration Profile that uses LOW
bandwidth performance settings and/or Blackout Windows.

• If agent deployment covers a wide geographic area, identify the number of
deployment locations and the total number of agents per location.

• Stagger agent deployments if many hosts are in the same location.

• Leverage the Qualys Gateway Service (QGS) to:
   • Consolidate agent communications and data transfers.
   • Cache agent downloads and manifests.


Bandwidth usage is typically greatest at agent deployment (e.g., initial data transfer 
does not have same efficiency as delta transfers). When deploying agents in an 
enterprise (large) environment, consider spacing out your deployment over time and 
wide geographic areas. Consider creating a special “Deployment” Configuration 
Profile that uses LOW bandwidth performance settings and/or Blackout Windows. 


If agent deployment covers a wide geographic area, identify the number of 
deployment locations and the total number of agents per location. You likely do not 
want all your agents calling home at the same time. Stagger your deployment over 
hours or days if located in the same location. 


Qualys Gateway Server provides proxy services for cloud agents. It can be used for
assets that don’t have direct internet access or when you want to optimize
bandwidth.


Leverage the Qualys Gateway Service (QGS) to: 
Consolidate agent communications and data transfers. 
Cache agent downloads and manifests. 
Performance — CPU Limit & Throttle


• How Long Does It Take an Agent to Collect Data?


WINDOWS SPECIFIC PARAMETERS (vers

CPU Limit* % (2 - 100)
Defines the percentage limit of the processor core(s) used by the agent. Lower
percentages reduces CPU utilization at the expense of longer execution times.


LINUX/MAC SPECIFIC PARAMETERS (ver

CPU Throttle* ms (0 - 1000)
The higher this value, the lower CPU utilization but longer agent takes to perform
actions on it's host


While the agent “Data Collection Interval” setting determines how often or frequently 
an agent collects assessment and inventory data, the CPU Performance settings 
determine how quickly or slowly the agent goes about the task of data collection. 


For Windows, faster data collection speeds are associated with higher “CPU Limit”
percentages and slower data collection speeds are associated with lower “CPU Limit”
settings.


For Unix/Linux, faster data collection speeds are associated with lower “CPU
Throttle” values and slower data collection speeds are associated with higher “CPU
Throttle” values.


Windows agents are single threaded and only consume a single CPU core. To
calculate the real CPU usage on a four-core system, divide the CPU Limit percentage
by 4. On an eight-core system, divide the CPU Limit percentage by 8.
CPU Throttle & Limit Comparison


0 ms        Fastest data collection
1-10 ms     Best trade-off between CPU usage and scan performance
11-20 ms    Best trade-off between CPU usage and scan performance
20+ ms      Slower data collection


The middle (blue) rows in this table represent the agent performance sweet spot.
This is a good place to start and attempts to balance agent performance with CPU
usage. Adjustments should then be made higher or lower, according to available
resources and performance needs.
Configuration Profile: Assign Hosts
Assign Hosts


[Screenshot: Configuration Profile Edit, Assign Hosts step, with the “By Asset Tag” (include and exclude tags) and “By Name” options]


• Assign host assets to a Configuration Profile by Asset Tag or Host Name.


BEST PRACTICE: Rely on Asset Tags to assign hosts.


Agent hosts can be assigned to a configuration profile by Asset Tag or explicitly by
name.


BEST PRACTICE: Rely on Asset Tags to assign hosts. 
Activation Key Tag Strategy


[Screenshot: an Activation Key edit page and a Configuration Profile “Assign hosts to this profile” step, both using the “CA Lab” tag]


BEST PRACTICE: Assign “static” tags to agent Activation Keys and use them to
ensure agent hosts receive their appropriate performance settings, patching
licenses, and patch job assignments.


Assign a “static” tag to each agent Activation Key to easily locate the agent hosts it
deploys. You can then use the same “static” tag to assign these hosts to their
Configuration Profile.


BEST PRACTICE: Use this strategy to assign agent host assets to their appropriate 
profiles, licenses, and jobs (at the time of agent deployment). 
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Configuration Profile: Agent Scan Merge 
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Remote Only QIDs 


- A Qualys Scanner’s “remote” perspective is required to detect “Remote Only” QIDs.
- Perform supplemental scans for agent hosts that are impacted by “Remote Only” QIDs.
- These hosts will have both SCAN data and AGENT data.

Supplemental scans (using a Qualys Scanner Appliance) may be performed on agent hosts, to provide coverage for “Remote Only” QIDs.


Agent Scan Merge

- Enable Agent Scan Merge in the agent Configuration Profile to expose the Agent Correlation Identifier.
- The agent will attempt to bind to the lowest available TCP port, in the range of 10001 through 10005.
- Use the “Bind All” option to bind on all ports simultaneously.
- Configure “On Premise Detection” to expose the Agent Correlation Identifier only when on a trusted network.

[Screenshot: Configuration Profile Edit, “Configure Agent Scan Merge” and “On Premise Detection” settings.]

Qualys Scanner Appliances produce SCAN data. Qualys Agents produce AGENT data. When a Qualys Scanner is used to scan a host that already has a Qualys Agent installed, both SCAN data and AGENT data records are collected and stored.

SCAN data and AGENT data can be successfully merged when both types of records contain a common field or attribute. The Agent Correlation Identifier provides this common attribute.

When Agent Scan Merge is enabled in a Configuration Profile, the Agent Correlation Identifier is exposed on TCP ports 10001-10005. By default the lowest available port number will be used. Use the “Bind All” option to bind on all five ports simultaneously.

Configure “On Premise Detection” to expose the Agent Correlation Identifier only on a trusted network. An IP address range configured to 0.0.0.0/0 enables this feature for all agent hosts.

Once Agent Scan Merge is enabled, the ‘agentid-service’ can be viewed from Windows Task Manager or within a Unix/Linux process list. Use the netstat command to view its assigned port number(s).
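One way to run the netstat check described above on a Linux agent host, as an added example (not Qualys code): the functions parse `netstat -tlnp` output, list the listeners in the 10001-10005 range, and separate the ports held by ‘agentid-service’ from ports another process already occupies. The sample output is constructed, the function names are hypothetical, and matching the owner on the process name is an assumption.

```shell
#!/bin/sh
# Added example (not Qualys code): report which Agent Scan Merge ports
# (TCP 10001-10005, per the slide) are listening, from `netstat -tlnp` text.

# Constructed sample of Linux `netstat -tlnp` output. Port 10001 is held by
# another process, so the agent (lowest available port) sits on 10002.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  812/sshd
tcp        0      0 0.0.0.0:10001    0.0.0.0:*        LISTEN  2301/java
tcp        0      0 0.0.0.0:10002    0.0.0.0:*        LISTEN  4410/agentid-service
tcp6       0      0 :::10007         :::*             LISTEN  5000/other'

# merge_ports: read netstat text on stdin and print "port owner" for every
# listener in 10001-10005. The port is taken after the LAST colon so IPv6
# local addresses such as :::10002 parse correctly.
merge_ports() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 10001 && port <= 10005) {
            owner = $7; sub(/^[0-9]+\//, "", owner)   # strip "PID/"
            print port, owner
        }
    }' | sort -n
}

# agent_ports: comma-separated ports owned by the agentid-service process.
# One port is the default behaviour; all five indicates "Bind All".
agent_ports() {
    merge_ports | awk '$2 ~ /^agentid-serv/ { printf "%s%s", sep, $1; sep = "," }
                       END { print "" }'
}

# blocked_ports: ports in the range held by some other process, which the
# agent skips when it binds to the lowest available port.
blocked_ports() {
    merge_ports | awk '$2 !~ /^agentid-serv/ { printf "%s%s", sep, $1; sep = "," }
                       END { print "" }'
}
```

On a live host, run `netstat -tlnp | agent_ports` as root so the PID/Program name column is populated.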
Unique Asset Identifiers


- From Qualys VM or VMDR, accept the “Agent Correlation Identifier” option (Assets > Setup > Asset Tracking & Data Merging).
- Qualys Scanner Appliances will attempt to read the correlation identifier when scanning agent hosts, allowing the SCAN data to be linked to its associated agent.

[Screenshot: Asset Tracking & Data Merging. Accept unique asset identifiers and choose how we'll merge results from scanned IP interfaces and cloud agents for an asset. The data merging option will allow you to decide how the data merging should happen for these scan results that uses agent correlation identifier. Note: For this feature to work, please make sure that Agent installed on Windows hosts has version 4.2 or later and Agent installed on Linux hosts has version 3.1.0 or later. Please also enable ‘Asset Scan Merge’ option in configuration profile(s) through Cloud Agent > Agent management page. Options: “Accept Agent Correlation Identifier” (you agree to use agent correlation identifier) and “Decline Agent Correlation Identifier” (you do not agree to use agent correlation identifier).]

Once the Agent Correlation Identifier is accepted, within the “Asset Tracking and Data Merging Setup” options (in Qualys VM or VMDR), Qualys Scanners will attempt to read the Agent Correlation Identifier from agent hosts.

AGENT data and SCAN data can be successfully merged using the Agent Correlation Identifier attribute.

Reporting Strategies & Best Practices Training


Recommended Sequence for Vulnerability Management:
1. Vulnerability Management Self-Paced Training
2. Global IT Asset Inventory and Management Self-Paced Training
3. Scanning Strategies and Best Practices Self-Paced Training
4. Reporting Strategies and Best Practices Self-Paced Training
5. Patch Management Self-Paced Training

For a detailed discussion of Asset Tracking & Data Merging options, see the Qualys “SSBP” and “RSBP” self-paced training courses.

For a complete description of the different Data Merging options in Qualys VM and VMDR, please enroll in the Qualys “Scanning Strategies & Best Practices” self-paced training course.

Configuration Profile: Agent Data Collection


Interval vs. Event-Driven Data Collection

[Screenshot: Configuration Profile Edit, “Configure Scan interval for Vulnerability Management”, with the Data Collection Interval setting.]

- VM, PC, and SCA collect data at configured intervals.
- FIM and EDR capture host events as they occur.
- Patch assessment scan intervals are configured within the PM application.

The remaining options allow you to customize the data collection methods used by agent hosts. Some Qualys applications collect data at user-defined intervals and other applications capture events as they occur on the host.

Focusing on data collection allows the agent to remain relatively lightweight, while sending the collected data to the Qualys platform for assessment and enrichment.

VM, PC, and SCA provide user-defined intervals for data collection, while FIM and EDR use event-driven techniques. Although Patch Management (PM) provides user-defined intervals for its patch assessment scans, this setting must be configured within the PM application.

Scan Intervals


Data Collection Interval*
The time lapse between the completion of the previous scan and the start of the next scan: min (240 - 43200)

- The Data Collection Interval setting specifies the frequency of VM, PC, and SCA scans.
- At each interval agents perform assigned tasks and collect host metadata (as specified in the application manifest(s)).
- To complete each interval, collected data is transferred to the Qualys Platform for processing.

NOTE: The countdown to the very next interval will begin as soon as the data transfer and post-processing steps have been completed.

USE-CASE: You're using a third-party patching tool and you want to validate successful vulnerability patches immediately?

The VM, PC, and SCA Scan Interval setting determines how often Cloud Agent collects vulnerability and compliance assessment data. Configured at its minimal value, data collections will occur every four hours.

NOTE: The countdown to the next interval begins at the END of the previous interval (i.e., it does NOT begin at the START of the previous interval).

The solution to the use-case in this slide calls for the ability to run “on-demand” agent scans.

Scan Delay and Scan Randomization


Scan Delay*
The time added to the start of scanning, both for new installs and for interval scanning. Value of 0 (zero) means no delay added. min (0 - 720)

Scan Randomize*
The range of randomization added to Scan Delay to offset scanning. For example, if the randomization range is 60 mins, then a random number between 1 and 60 is calculated and used to delay the start of the next scanning interval. Value of 0 (zero) means no randomization will occur. min (0 - 720)

Scan Delay and Scan Randomize are supported for Windows Cloud Agent 4.4 and greater.

The use case for these settings is to make sure that all agents don’t send their data to the platform at the same time. They are a means to stagger the communication, so that the impact on the network is reduced.

Additional use cases:

- Client VDI all starting at 9am when employees start working
- Elastic cloud when 1000s of assets are deployed at the same time
- Agent assets in Blackout Windows all start processing at the same time
- When new manifests come out, especially for remote office locations and slow links
- When new agent installer versions come out
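The interval, delay and randomization rules from the Scan Intervals and Scan Delay slides, worked through as an added example (not Qualys code): `next_scan_window` gives the earliest and latest start of the next scan, and `latest_starts` shows how successive scans drift because each countdown begins at the END of the previous interval. Adding interval, delay and random offset together is an assumption drawn from the slide wording, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Qualys code). Models the timing rules stated on the
# slides; every value is in minutes. How the three settings combine is an
# assumption drawn from the slide wording.

# in_range VALUE MIN MAX: succeed when VALUE is a whole number in [MIN, MAX].
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# next_scan_window PREV_END INTERVAL DELAY RANDOMIZE
# PREV_END is when the previous interval finished (data transfer and
# post-processing included). Prints "earliest latest" start of the next scan.
next_scan_window() {
    in_range "$2" 240 43200 || { echo "interval must be 240-43200" >&2; return 1; }
    in_range "$3" 0 720     || { echo "delay must be 0-720" >&2; return 1; }
    in_range "$4" 0 720     || { echo "randomize must be 0-720" >&2; return 1; }
    base=$(( $1 + $2 + $3 ))
    if [ "$4" -eq 0 ]; then
        echo "$base $base"                        # 0 means no randomization
    else
        echo "$(( base + 1 )) $(( base + $4 ))"   # random offset of 1..RANDOMIZE
    fi
}

# latest_starts FIRST_START DURATION INTERVAL DELAY RANDOMIZE CYCLES
# Worst-case start time of each successive scan when every scan needs
# DURATION minutes from its start to the end of post-processing.
latest_starts() {
    start=$1; out=$start; i=1
    while [ "$i" -lt "$6" ]; do
        window=$(next_scan_window "$(( start + $2 ))" "$3" "$4" "$5") || return 1
        start=${window#* }                        # keep the "latest" field
        out="$out $start"
        i=$(( i + 1 ))
    done
    echo "$out"
}
```

With a 240-minute interval and 20-minute scans, `latest_starts 0 20 240 0 0 3` gives starts at 0, 260 and 520 minutes rather than 0, 240 and 480.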
On-Demand Scan


- Manually perform VM, PC, SCA, UDC, and inventory scans on Windows and Linux agent hosts.
- Application module must be activated and its associated manifest must be downloaded, prior to performing an “on-demand” scan.
- A successful “on-demand” scan will reset the countdown to the next scan interval.

You can run an On Demand Scan to instruct the agent to immediately scan as long as the agent is not already scanning.

The target application module must be activated and its associated manifest must be downloaded, prior to performing an “on-demand” scan.

The On Demand Scan runs independently of the interval scan that you configure in the Configuration Profile and will reset the scan interval on the local agent after a successful scan.

On-Demand Scan Examples
- On-demand scans for Windows are configured in the Windows Registry.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Qualys\QualysAgent\ScanOnDemand\Vulnerability

Name             Data
(Default)        (value not set)
ScanOnDemand     0x00000001 (1)
ScanOnStartup    0x00000001 (1)

- On-demand scans for Linux are executed from the command line.

# ./cloudagentctl.sh action=demand type=vm

On-demand scans for Windows are configured in the Windows Registry and on-demand scans for Linux are executed from the command line. Please see the lab tutorial supplement for this course for more examples and details for running on-demand scans for Windows and Linux.

The same command used on Linux can also be used on macOS.

Event-Driven Data Collection


[Screenshot: Configuration Profile Edit, FIM and Endpoint Detection and Response settings, including “Payload threshold time*”.]

- Events are captured and logged as they occur for FIM and EDR.
- Event log payloads are transferred to the Qualys Platform at frequent intervals.

Kernel drivers allow agents to collect event data for FIM and EDR, as the events occur on the agent host. The “Payload Threshold Time” setting specifies the frequency of event log transmissions to the Qualys Platform (anywhere from 30 to 1800 seconds).


Data Collection Summary

Data Collection Intervals
- VM, PC, and SCA scans are performed every 4 hours to every 30 days.
- Inventory scans are performed daily.
- Patch assessment scans (configured in the PM application) are performed every 4 hours to every 30 days.

On-Demand Scans
- Perform “on-demand” VM, PC, SCA, UDC, and inventory scans on Windows and Linux agent hosts.

Event-Driven Data Collection
- Events are captured and logged as they happen for FIM and EDR.
- Logged events are transferred to the Qualys Platform at frequent intervals (i.e., Payload Threshold Time, 30 - 1800 seconds).

This slide provides a summary of the various agent data collection methods.

Agent data collection methods are dependent on the Qualys application module.

Download Manifests

Application Manifests


- A “manifest” identifies the tasks to be performed and data to be collected by the agent.
- Qualys Application Modules have their own separate manifests.
- When a new application module is activated for an agent host, the agent receives a new manifest and data collection begins.
- Application modules frequently send updated manifests to agents.
  - Example: New QIDs added to the Qualys KnowledgeBase may require additional data collection.
  - Data collection will also begin following the download of an updated manifest.

A manifest identifies the metadata an agent will collect from its host for a given application. Qualys Application Modules have their own separate manifests.

When a new application module is activated for an agent host, the agent receives a new manifest and data collection begins. Data collection also begins after an agent receives an updated manifest.


Manifests get updated regularly, especially in the case of VM where Qualys is continually adding new vulnerability signatures to our KnowledgeBase.

Manifest Type | Description | Data Collection
Inventory | Collects asset inventory such as hardware, software, active services, etc. | Daily Intervals
Vulnerability | Collects data defined by QIDs in the Qualys Vulnerability KnowledgeBase. | User-Defined Intervals (240 - 43200 min.)
PolicyCompliance | Collects System Defined Control (SDC) datapoints defined in the PC Control Library. | User-Defined Intervals (240 - 43200 min.)
UDC | Collects User Defined Control (UDC) datapoints defined in the PC Control Library. | Four-hour intervals
SCA | Collects compliance datapoints defined in CIS Policy Controls. | User-Defined Intervals (240 - 43200 min.)
AutoDiscovery | Automatically discovers host middleware technologies. | Four-hour intervals
MiddlewarePC | Collects compliance datapoints for host middleware assessments. | Four-hour intervals
FIM | Collects events for targeted file and directory changes and modifications. | Event-Driven (Payload threshold time 30 - 1800 sec.)
EDR | Collects events for targeted processes, process mutex, registry keys, and suspect file locations. | Event-Driven (Payload threshold time 30 - 1800 sec.)

This table provides a summary of manifest types along with their respective data collection methods.


Agent - Platform Synchronization

Host Snapshot Synchronization

- Both Cloud Agent and the Qualys Cloud Platform maintain a copy of the host snapshot.
- Delta processing includes integrity checks to ensure the snapshot on the host matches the snapshot in the Qualys Platform.
- If the integrity check fails, the agent will automatically re-synchronize with the Qualys Platform.
- Digital signatures are used to validate communications between agent and platform.

The delta processing feature of the Cloud Agent includes a synchronization mechanism that guarantees that local snapshot files and the data processed by the platform are the same. If the integrity check fails on either side, the agent will re-synchronize (called “scorch” internally): both the agent and the platform delete existing snapshot data and start as if the agent were newly provisioned. This process is performed automatically if synchronization checks fail.

Activate, Deactivate & Uninstall Agents

Activate Application Modules


[Screenshot: Activation Key “Provision Key for these applications” panel listing Asset Inventory, Patch Management, Vulnerability Management, Policy Compliance, Endpoint Detection and Response, File Integrity Monitoring and Secure Config Assessment with their remaining activations, and an agent host's “Quick Actions” menu.]

- Deploy Cloud Agent Activation Key with module(s) already enabled.
- Activate module(s) from agent host's “Quick Actions” menu (for agents that have already been deployed).

Qualys application modules (selected within an agent Activation Key) are activated at the time of agent deployment. Application modules can also be activated from the “Quick Actions” menu of any agent host.

Lab Tutorial 6

Activate, Deactivate & Uninstall Agents (pg. 29)

1. Deactivate the PC application module for an agent host
2. From the “Agents” tab, uninstall agents from three hosts, using the “Actions” button in the Cloud Agent UI

Deactivate Application Module


[Screenshot: “Quick Actions” menu and the “Deactivate Agent” dialog. Deactivate this cloud agent for the modules selected below. Deactivate an agent for the selected applications. The agent will no longer perform assessments for applications that are deactivated and will purge/remove previous assessments stored in the Qualys platform.]

- Deactivate individual application modules for agent host assets.
- Application modules can be deactivated for one agent host and then activated for another.

To deactivate an Agent Module, select “Deactivate Agent” from the “Quick Actions” menu. Then turn off the targeted module, before clicking the “Deactivate” button.

A deactivated module can also be re-activated by using the “Activate Agent” option from the “Quick Actions” menu.


Uninstall Cloud Agent

- Recommended: uninstall CA using the “Uninstall Agent” action in the UI or API.
- Uninstall task will be performed at the very next Status Interval.
- Agent license will be made available to other hosts.
- Steps to clean up AGENT data are performed automatically (SCAN data is not impacted).

Selecting the “Uninstall Agent” option from the “Quick Actions” menu of any agent will remove the agent from its host the very next time it checks in. Any asset inventory, vulnerability, or policy compliance data is purged from the platform.

Agents must be uninstalled from the Qualys UI or API to ensure appropriate data clean-up measures are performed.

Bulk Agent Updates


The objective of this section is to understand the different options for updating agents in bulk.

Actions Button


[Screenshot: Cloud Agent “Agent Management” view with several agent hosts selected and the “Actions” menu open, listing Assign Config Profile, Deactivate Agent, Assign UDC Manifest, Uninstall Agent, Deactivate Agent for FIM or IOC or PM or SA, and Clear selections.]

- Within the Cloud Agent application, select multiple agent hosts and use the “Actions” button to perform tasks in bulk.
- Perform actions on multiple agent hosts.
- Execute queries to help filter agents for selection.

Select multiple agent hosts from the Cloud Agent UI and then use the “Actions” button to perform updates in bulk.


Edit Activation Key

- Add or remove application module(s) and choose “Update for all agents.”
- This method covers present as well as future agent deployments.

[Screenshot: Edit Activation Key dialog. An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time. Title: AWS Activation Key. “Provision Key for these applications” lists Asset Inventory, Patch Management, Vulnerability Management, Policy Compliance, Endpoint Detection and Response, File Integrity Monitoring and Secure Config Assessment with their remaining activations, followed by the “Set limits” and “Apply changes to all the existing agents” options.]

Adding and removing application modules can be performed for all existing agents using their associated Activation Key. Simply select the “Apply changes to all existing agents” option. Future agent deployments will receive the updated module configuration.

Cloud Agent API


Uninstall Agents

Sample - Uninstall agents in bulk

API request

curl -u fo_username:password -X POST -H "Content-Type: text/xml" -H "Cache-Control: no-cache" --data-binary @uninstall_all_agents.xml "<uninstall API endpoint URL>"

Contents of uninstall_all_agents.xml

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="tagName" operator="EQUALS">Cloud Agent</Criteria>
  </filters>
</ServiceRequest>

Agents can be uninstalled in bulk using the Cloud Agent API.

Agent Purge Rules


- Purge rules run daily.
- Create rules to automatically purge agent host assets from your account.

[Screenshot: Qualys AssetView, “Confirmation - Purge Assets” dialog. Purging assets is irreversible. This action cannot be undone! Your purge rule will run daily. All assets matching your rule will be purged. Please note: assets and associated asset data will be removed from your account; scan results from scanners will remain on your account; for assets with cloud agents, the agents will be uninstalled and licenses will be freed up. Are you sure you want to save the rule?]

Purge Rules (provided in the AssetView application) will remove agent assets from your account, based upon various agent statuses and configurations:

- lastActivity
- lastCheckedIn
- activatedForModule
- agentActivationKey
- agentVersion
- configurationProfile

Last Reminders


Certification Exam
- 30 multiple choice questions.
- Answer 75% of the questions correctly to receive a passing score.
- Candidates will receive 5 attempts to pass the exam.
- You may use the Cloud Agent presentation slides and lab tutorial supplement to help you answer the exam questions.

Trial Account
https://www.qualys.com/free-trial/

Training Survey
https://forms.office.com/r/rsyOAja6Xz

See the bottom of Swapcard session for the links to all 3

The link to enrol for the course and the certification exam is
https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237821

Please consult the Lab Tutorial Supplement for information regarding registration for the Cloud Agent course certification exam.

NOTE: We recommend that you take this certification exam at the earliest possible convenience.

You can request a free Qualys limited trial account by submitting a request on this link:
https://www.qualys.com/free-trial/

Thank You

training@qualys.com